Abstract. We analyze the multivariate generalization of Howgrave-Graham's algorithm for the approximate common divisor problem. In the $m$-variable case with modulus $N$ and approximate common divisor of size $N^\beta$, this improves the size of the error tolerated from $N^{\beta^2}$ to $N^{\beta^{(m+1)/m}}$, under a commonly used heuristic assumption. This gives a more detailed analysis of the hardness assumption underlying the recent fully homomorphic cryptosystem of van Dijk, Gentry, Halevi, and Vaikuntanathan. While these results do not challenge the suggested parameters, a $2^{n^\varepsilon}$ approximation algorithm with $\varepsilon < 2/3$ for lattice basis reduction in $n$ dimensions could be used to break these parameters. We have implemented our algorithm, and it performs better in practice than the theoretical analysis suggests.

Our results fit into a broader context of analogies between cryptanalysis 
and coding theory. The multivariate approximate common divisor problem is 
the number-theoretic analogue of multivariate polynomial reconstruction, and 
we develop a corresponding lattice-based algorithm for the latter problem. In 
particular, it specializes to a lattice-based list decoding algorithm for Parvaresh- 
Vardy and Guruswami-Rudra codes, which are multivariate extensions of 
Reed-Solomon codes. This yields a new proof of the list decoding radii for 
these codes. 



1. Introduction 

Given two integers, we can compute their greatest common divisor efficiently using Euclid's algorithm. Howgrave-Graham [19] formulated and gave an algorithm to solve an approximate version of this question, asking the question "What if instead of exact multiples of some common divisor, we only know approximations?" In the simplest case, we are given one exact multiple $N = p q_0$ and one near multiple $a_1 = p q_1 + r_1$, and the goal is to learn $p$, or at least $p \gcd(q_0, q_1)$.

In this paper, we generalize Howgrave-Graham's approach to the case when one is given many near multiples of $p$. The hardness of solving this problem for small $p$ (relative to the size of the near multiples) was recently proposed as the foundation for a fully homomorphic cryptosystem [15]. Specifically, we can show that improving the approximation factor of lattice basis reduction for the particular lattices $L$ we are looking at from $2^{\dim L}$ to $2^{(\dim L)^\varepsilon}$ with $\varepsilon < 2/3$ would break the suggested parameters in the system. See Section 3 for the details. The approximate common divisor problem is also closely related to the problem of finding small solutions to multivariate polynomials, a problem first posed by Coppersmith [9], and whose various extensions have many applications in cryptanalysis [4].
The multivariate version of the problem allows us to improve the bounds for when the approximate common divisor problem is solvable: given $N = pq$ and $m$ randomly chosen approximate multiples $a_i = p q_i + r_i$ of $p = N^\beta$, as well as upper bounds $X_i$ for each $|r_i|$, we can find the perturbations when
\[
(X_1 \cdots X_m)^{1/m} < N^{(1+o(1))\beta^{(m+1)/m}}.
\]
In other words, we can compute approximate common divisors when $r_i$ is as large as $N^{\beta^{(m+1)/m}}$. For $m = 1$, we recover Howgrave-Graham's theorem [19], which handles errors as large as $N^{\beta^2}$. As the number $m$ of samples grows large, our bound approaches $N^\beta$, i.e., the size of the approximate common divisor $p$. Our algorithm runs in polynomial time for fixed $m$. We cannot rigorously prove that it always works, but it is supported by a heuristic argument and works in practice.

There is an analogy between the ring of integers and the ring of polynomials over a field. Under this analogy, finding a large approximate common divisor of two integers is analogous to reconstructing a polynomial from noisy interpolation information, as we explain in Section 1.2.2. One of the most important applications of polynomial reconstruction is decoding of Reed-Solomon codes. Guruswami and Sudan [17] increased the feasible decoding radius of these codes by giving a list-decoding algorithm that outputs a list of polynomially many solutions to a polynomial reconstruction problem. The analogy between the integers and polynomials was used in [8] to give a proof of the Guruswami-Sudan algorithm inspired by Howgrave-Graham's approach, as well as a faster algorithm.

Parvaresh and Vardy [28] developed a related family of codes with a larger list-decoding radius than Reed-Solomon codes. The decoding algorithm corresponds to simultaneous reconstruction of several polynomials.

In this paper, we observe that the problem of simultaneous reconstruction of 
multiple polynomials is the exact analogue of the approximate common divisor 
problem with many inputs, and the improved list-decoding radius of Parvaresh- 
Vardy codes corresponds to the improved error tolerance in the integer case. We 
adapt our algorithm for the integers to give a corresponding algorithm to solve the 
multiple polynomial reconstruction problem. 

This algorithm has recently been applied to construct an optimally Byzantine-robust private information retrieval protocol [14]. The polynomial lattice methods we describe are extremely fast in practice, and they speed up the client-side calculations by a factor of several thousand compared with a related scheme that uses the Guruswami-Sudan algorithm. See [14] for more information and timings.

1.1. Related work. Howgrave-Graham first posed the problem of approximate integer common divisors in [19], and used it to address the problem of factoring when information is known about one of the factors. His algorithm gave a different viewpoint on Coppersmith's proof [9] that one can factor an RSA modulus $N = pq$ where $p \approx q \approx \sqrt{N}$ given the most significant half of the bits of one of the factors. This technique was applied by Boneh, Durfee, and Howgrave-Graham [5] to factor numbers of the form $p^r q$ with $r$ large. Jochemsz and May [20] and Jutla [21] considered the problem of finding small solutions to multivariate polynomial equations, and showed how to do so by obtaining several equations satisfied by the desired roots using lattice basis reduction. Herrmann and May [18] gave a similar algorithm in the case of finding solutions to multivariate linear equations modulo divisors of a given integer. They applied their results to the case of factoring with bits known when those bits might be spread across $\log \log N$ chunks of $p$. Notably, their results display similar behavior to ours as the number of variables grows large. Van Dijk, Gentry, Halevi, and Vaikuntanathan [15] discuss extensions of Howgrave-Graham's method to larger $m$ and provide a rough heuristic analysis in Appendix B.2 of the longer version of their paper available on the Cryptology ePrint Archive.

Chen and Nguyen [7] gave an algorithm to find approximate common divisors 
which is not related to the Coppersmith/Howgrave-Graham lattice techniques and 
which provides an exponential speedup over exhaustive search over the possible 
perturbations. 

In addition to the extensive work on polynomial reconstruction and noisy polynomial interpolation in the coding theory literature, the problem in both the single and multiple polynomial cases has been used as a cryptographic primitive, for example in [23] and [1] (broken in [11]). Coppersmith and Sudan [10] gave an algorithm for simultaneous reconstruction of multiple polynomials, assuming random (rather than adversarially chosen) errors. Bleichenbacher, Kiayias, and Yung [2] gave a different algorithm for simultaneous reconstruction of multiple polynomials under a similar probabilistic model. Parvaresh and Vardy [28] were the first to beat the list-decoding performance of Reed-Solomon codes for adversarial errors, by combining multiple polynomial reconstruction with carefully chosen constraints on the polynomial solutions; this allowed them to prove that their algorithm ran in polynomial time, without requiring any heuristic assumptions. Finally, Guruswami and Rudra [16] combined the idea of multi-polynomial reconstruction with an optimal choice of polynomials to construct codes that can be list-decoded up to the information-theoretic bound (for large alphabets).

1.2. Problems and results. 

1.2.1. Approximate common divisors. Following Howgrave-Graham, we define the "partial" approximate common divisor problem to be the case when one has $N = p q_0$ and $m$ approximate multiples $a_i = p q_i + r_i$ of $p$. We want to recover an approximate common divisor. To do so, we will compute $r_1, \dots, r_m$, after which we can simply compute the exact greatest common divisor of $N, a_1 - r_1, \dots, a_m - r_m$.

If the perturbations $r_i$ are allowed to be as large as $p$, then it is clearly impossible to reconstruct $p$ from this data. If they are sufficiently small, then one can easily find them by a brute force search. The following theorem interpolates between these extremes: as $m$ grows, the bound on the size of $r_i$ approaches the trivial upper bound of $p$.

Theorem 1 (Partial approximate common divisors). Given positive integers $N, a_1, \dots, a_m$ and bounds $\beta \gg 1/\sqrt{\log N}$ and $X_1, \dots, X_m$, we can find all $r_1, \dots, r_m$ such that
\[
\gcd(N, a_1 - r_1, \dots, a_m - r_m) > N^\beta
\]
and $|r_i| \le X_i$, provided that
\[
(X_1 \cdots X_m)^{1/m} < N^{(1+o(1))\beta^{(m+1)/m}}
\]
and that the algebraic independence hypothesis discussed in Section 2 holds. The algorithm runs in polynomial time for fixed $m$, and the $\gg$ and $o(1)$ are as $N \to \infty$.

For $m = 1$, this theorem requires no algebraic independence hypothesis and is due to Howgrave-Graham [19]. For $m > 1$, not all inputs $N, a_1, \dots, a_m$ will satisfy the hypothesis. Specifically, we must rule out attempting to improve on the $m = 1$ case by deriving $a_2, \dots, a_m$ from $a_1$, for example by taking $a_i$ to be a small multiple of $a_1$ plus an additional perturbation (or, worse yet, $a_1 = \cdots = a_m$). However, we believe that generic integers will work, for example integers chosen at random from a large range, or at least integers giving independent information in some sense.

We describe our algorithm to solve this problem in Section 2. We follow the general technique of Howgrave-Graham: we use LLL lattice basis reduction to construct $m$ polynomials for which $r_1, \dots, r_m$ are roots, and then we solve the system of equations. The lattice basis reduction is for a lattice of dimension at most $\beta \log N$, regardless of what $m$ is, but the root finding becomes difficult when $m$ is large.

This algorithm is heuristic, because we assume we can obtain $m$ short lattice vectors representing algebraically independent polynomials from the lattice that we will construct. This assumption is commonly made when applying multivariate versions of Coppersmith's method, and has generally been observed to hold in practice. See Section 2 for more details. This is where the restriction to generic inputs becomes necessary: if $a_1, \dots, a_m$ are related in trivial ways, then the algorithm will simply recover the corresponding relations between $r_1, \dots, r_m$, without providing enough information to solve for them.

Note that we are always able to find one nontrivial algebraic relation between $r_1, \dots, r_m$, because LLL will always produce at least one short vector. If we were provided in advance with $m - 1$ additional relations, carefully chosen to ensure that they would be algebraically independent of the new one, then we would have no need for heuristic assumptions. We will see later in this section that this situation arises naturally in coding theory, namely in Parvaresh-Vardy codes [28].

The condition $\beta \gg 1/\sqrt{\log N}$ arises from the exponential approximation factor in LLL. It amounts to $N^{\beta^2} \gg 1$. An equivalent formulation is $\log p \gg \sqrt{\log N}$; i.e., the number of digits in the approximate common factor $p$ must be more than the square root of the number of digits in $N$. When $m = 1$, this is not a restriction at all: when $p$ is small enough that $N^{\beta^2}$ is bounded, there are only a bounded number of possibilities for $r_1$ and we can simply try all of them. When $m > 1$, the multivariate algorithm can handle much larger values of $r_i$ for a given $p$, but the $\log p \gg \sqrt{\log N}$ condition dictates that $p$ cannot be any smaller than when $m = 1$. Given a lattice basis reduction algorithm with approximation factor $2^{(\dim L)^\varepsilon}$, one could replace this condition with $\beta^{1+\varepsilon} \log N \gg 1$. If $\varepsilon = 1/m$, then the constraint could be removed entirely in the $m$-variable algorithm. See Section 2 for the details.

The $\log p \gg \sqrt{\log N}$ condition is the only thing keeping us from breaking the fully homomorphic encryption scheme from [15]. Specifically, improving the approximation factor of lattice basis reduction for the particular lattices $L$ we are looking at to $2^{(\dim L)^\varepsilon}$ with $\varepsilon < 2/3$ would break the suggested parameters in the system. See Section 3 for the details.

We get nearly the same bounds for the "general" approximate common divisor problem, in which we are not given the exact multiple $N$.

Theorem 2 (General approximate common divisors). Given positive integers $a_1, \dots, a_m$ (with $a_i \approx N$ for all $i$) and bounds $\beta \gg 1/\sqrt{\log N}$ and $X$, we can find all $r_1, \dots, r_m$ such that
\[
\gcd(a_1 - r_1, \dots, a_m - r_m) > N^\beta
\]
and $|r_i| \le X$, provided that
\[
X < N^{(1+o(1))\, C_m \beta^{m/(m-1)}},
\]
where
\[
C_m = \frac{1 - 1/m^2}{m^{1/(m-1)}} \approx 1 - \frac{\log m}{m},
\]
and that the algebraic independence hypothesis holds. The algorithm runs in polynomial time for fixed $m$, and the $\gg$ and $o(1)$ are as $N \to \infty$.

Again, for $m = 2$, this result is due to Howgrave-Graham [19], and no algebraic independence hypothesis is needed.

The proof is very similar to the case when $N$ is known, but the calculations are more tedious because the determinant of the lattice is more difficult to bound. See Section 2.2 for the details.

In [19], Howgrave-Graham gives a more detailed analysis of the behavior for $m = 2$. Instead of our exponent $C_2 \beta^2 = \frac{3}{8}\beta^2$, he gets $1 - \beta/2 - \sqrt{1 - \beta - \beta^2/2}$, which is asymptotic to $\frac{3}{8}\beta^2$ for small $\beta$ but is slightly better when $\beta$ is large. We are interested primarily in the case when $\beta$ is small, so we have opted for simplicity, but one could carry out a similar analysis for all $m$.

1.2.2. Noisy multi-polynomial reconstruction. Let $F$ be a field. Given $m$ single-variable polynomials $g_1(z), \dots, g_m(z)$ over $F$ and $n$ distinct points $z_1, \dots, z_n$ in $F$, evaluating the polynomials at these points yields $mn$ elements $y_{ij} = g_i(z_j)$ of $F$.

The noisy multi-polynomial reconstruction problem asks for the recovery of $g_1, \dots, g_m$ given the evaluation points $z_1, \dots, z_n$, degree bounds $\ell_i$ on $g_i$, and possibly incorrect values $y_{ij}$. Stated more precisely: we wish to find all $m$-tuples of polynomials $(g_1, \dots, g_m)$ satisfying $\deg g_i \le \ell_i$ for which there are at least $\beta n$ values of $j$ such that $g_i(z_j) = y_{ij}$ for all $i$. In other words, some of the data may have been corrupted, but we are guaranteed that there are at least $\beta n$ points at which all the values are correct.

Bleichenbacher and Nguyen [3] distinguish the problem of "polynomial reconstruction" from the "noisy polynomial interpolation" problem. Their definition of "noisy polynomial interpolation" involves reconstructing a single polynomial when there are several possibilities for each value. The multivariate version of this problem can be solved using Theorem 3.

This problem is an important stepping stone between single- variable interpolation 
problems and full multivariate interpolation, in which we reconstruct polynomials 
of many variables. The multi-polynomial reconstruction problem allows us to take 
advantage of multivariate techniques to prove much stronger bounds, without having 
to worry about issues such as whether our evaluation points are in general position. 

We can restate the multi-polynomial reconstruction problem slightly to make the analogy with the integer case clear. Given evaluation points $z_j$ and values $y_{ij}$, define $N(z) = \prod_j (z - z_j)$, and use ordinary interpolation to find polynomials $f_i(z)$ such that $f_i(z_j) = y_{ij}$. Then we will see shortly that $g_1, \dots, g_m$ solve the noisy multi-polynomial reconstruction problem iff
\[
\deg \gcd(f_1(z) - g_1(z), \dots, f_m(z) - g_m(z), N(z)) \ge \beta n.
\]
This is completely analogous to the approximate common divisor problem, with $N(z)$ as the exact multiple and $f_1(z), \dots, f_m(z)$ as the approximate multiples.
To see why this works, observe that the equation $g_i(z_j) = y_{ij}$ is equivalent to $g_i(z) \equiv y_{ij} \pmod{z - z_j}$. Thus, $g_i(z_j) = f_i(z_j) = y_{ij}$ iff $f_i(z) - g_i(z) \equiv 0 \pmod{z - z_j}$, and $\deg \gcd(f_i(z) - g_i(z), N(z))$ counts how many $j$ satisfy $g_i(z_j) = y_{ij}$. Finally, to count the $j$ such that $g_i(z_j) = y_{ij}$ for all $i$, we use
\[
\deg \gcd(f_1(z) - g_1(z), \dots, f_m(z) - g_m(z), N(z)).
\]
This leads us to our result in the polynomial case.

Theorem 3. Given polynomials $N(z), f_1(z), \dots, f_m(z)$ and degree bounds $\ell_1, \dots, \ell_m$, we can find all $g_1(z), \dots, g_m(z)$ such that
\[
\deg \gcd(f_1(z) - g_1(z), \dots, f_m(z) - g_m(z), N(z)) \ge \beta \deg N(z)
\]
and $\deg g_i \le \ell_i$, provided that
\[
\frac{\ell_1 + \cdots + \ell_m}{m} < \beta^{(m+1)/m} \deg N(z)
\]
and that the algebraic independence hypothesis holds. The algorithm runs in polynomial time for fixed $m$.

As in the integer case, our analysis depends on an algebraic independence hy- 
pothesis, but it may be easier to resolve this issue in the polynomial case, because 
lattice basis reduction is far more effective and easier to analyze over polynomial 
rings than it is over the integers. 

Parvaresh-Vardy codes [28] are based on noisy multi-polynomial reconstruction: a codeword is constructed by evaluating polynomials $f_1, \dots, f_m$ at points $z_1, \dots, z_n$ to obtain $mn$ elements $f_i(z_j)$. In their construction, $f_1, \dots, f_m$ are chosen to satisfy $m - 1$ polynomial relations, so that they only need to find one more algebraically independent relation to solve the decoding problem. Furthermore, the $m - 1$ relations are constructed so that they must be algebraically independent from the relation constructed by the decoding algorithm. This avoids the need for the heuristic assumption discussed above in the integer case. Furthermore, the Guruswami-Rudra codes [16] achieve improved rates by constructing a system of polynomials so that only $n$ symbols need to be transmitted, rather than $mn$.

Parvaresh and Vardy gave a list-decoding algorithm using the method of Guruswami and Sudan, which constructs a polynomial by solving a system of equations to determine the coefficients. In our terms, they proved the following theorem:

Theorem 4. Given a polynomial $N(z)$ and $m$ polynomials $f_1(z), \dots, f_m(z)$, and degree bounds $\ell_1, \dots, \ell_m$, we can find a nontrivial polynomial $Q(x_1, \dots, x_m)$ with the following property: for all $g_1(z), \dots, g_m(z)$ such that
\[
\deg \gcd(f_1(z) - g_1(z), \dots, f_m(z) - g_m(z), N(z)) \ge \beta \deg N(z)
\]
and $\deg g_i \le \ell_i$, we have
\[
Q(g_1(z), \dots, g_m(z)) = 0,
\]
provided that
\[
\frac{\ell_1 + \cdots + \ell_m}{m} < \beta^{(m+1)/m} \deg N(z).
\]
The algorithm runs in polynomial time.

In Section 4, we give an alternative proof of this theorem using the analogue of lattice basis reduction over polynomial rings. This algorithm requires neither heuristic assumptions nor conditions on $\beta$.
2. Computing approximate common divisors

In this section, we describe our algorithm to solve the approximate common 
divisor problem over the integers. 

To derive Theorem 1, we will use the following approach:

(1) Construct polynomials $Q_1, \dots, Q_m$ of $m$ variables such that
\[
Q_i(r_1, \dots, r_m) = 0
\]
for all $r_1, \dots, r_m$ satisfying the conditions of the theorem.

(2) Solve this system of equations to learn candidates for the roots $r_1, \dots, r_m$.

(3) Test each of the polynomially many candidates to see if it is a solution to the original problem.

In the first step, we will construct polynomials $Q$ satisfying
\[
Q(r_1, \dots, r_m) \equiv 0 \pmod{p^k}
\]
(for a $k$ to be chosen later) whenever $a_i \equiv r_i \pmod p$ for all $i$. We will furthermore arrange that
\[
|Q(r_1, \dots, r_m)| < N^{\beta k}.
\]
These two facts together imply that $Q(r_1, \dots, r_m) = 0$ whenever $p > N^\beta$: then $p^k > N^{\beta k}$, and the only multiple of $p^k$ of absolute value less than $N^{\beta k}$ is $0$.

To ensure that $Q(r_1, \dots, r_m) \equiv 0 \pmod{p^k}$, we will construct $Q$ as an integer linear combination of products
\[
(x_1 - a_1)^{i_1} \cdots (x_m - a_m)^{i_m} N^\ell
\]
with $i_1 + \cdots + i_m + \ell \ge k$. Alternatively, we can think of $Q$ as being in the integer lattice generated by the coefficient vectors of these polynomials. To ensure that $|Q(r_1, \dots, r_m)| < N^{\beta k}$, we will construct $Q$ to have small coefficients; i.e., it will be a short vector in the lattice.

More precisely, we will use the lattice $L$ generated by the coefficient vectors of the polynomials
\[
(X_1 x_1 - a_1)^{i_1} \cdots (X_m x_m - a_m)^{i_m} N^\ell
\]
with $i_1 + \cdots + i_m \le t$ and $\ell = \max(k - \sum_j i_j, 0)$. Here $t$ and $k$ are parameters to be chosen later. Note that we have incorporated the bounds $X_1, \dots, X_m$ on the desired roots $r_1, \dots, r_m$ into the lattice. We define $Q$ to be the corresponding integer linear combination of $(x_1 - a_1)^{i_1} \cdots (x_m - a_m)^{i_m} N^\ell$, without $X_1, \dots, X_m$.

Given a polynomial $Q(x_1, \dots, x_m)$ corresponding to a vector $v \in L$, we can bound $|Q(r_1, \dots, r_m)|$ by the $\ell_1$ norm $|v|_1$. Specifically, if
\[
Q(x_1, \dots, x_m) = \sum_{j_1, \dots, j_m} q_{j_1 \dots j_m}\, x_1^{j_1} \cdots x_m^{j_m},
\]
then $v$ has entries $q_{j_1 \dots j_m} X_1^{j_1} \cdots X_m^{j_m}$, and
\[
|Q(r_1, \dots, r_m)| \le \sum_{j_1, \dots, j_m} |q_{j_1 \dots j_m}|\, |r_1|^{j_1} \cdots |r_m|^{j_m} \le \sum_{j_1, \dots, j_m} |q_{j_1 \dots j_m}|\, X_1^{j_1} \cdots X_m^{j_m} = |v|_1.
\]
Thus, every vector $v \in L$ satisfying $|v|_1 < N^{\beta k}$ gives a polynomial relation between $r_1, \dots, r_m$.
It is straightforward to compute the dimension and determinant of the lattice:
\[
\dim L = \binom{t+m}{m}
\]
and
\[
\det L = (X_1 \cdots X_m)^{\binom{t+m}{m+1}} N^{\binom{k+m}{m+1}}.
\]
To compute the determinant, we can choose a monomial ordering so that the basis matrix for this lattice is upper triangular; then the determinant is simply the product of the terms on the diagonal.

Now we apply LLL lattice basis reduction to $L$. Because all the vectors in $L$ are integral, the $m$ shortest vectors $v_1, \dots, v_m$ in the LLL-reduced basis satisfy
\[
|v_1| \le \cdots \le |v_m| \le 2^{(\dim L)/4} (\det L)^{1/(\dim L + 1 - m)}
\]
(see Theorem 2 in [19]), and $|v|_1 \le \sqrt{\dim L}\, |v|$ by Cauchy-Schwarz, so we know that the corresponding polynomials $Q$ satisfy
\[
|Q(r_1, \dots, r_m)| \le \sqrt{\dim L}\; 2^{(\dim L)/4} (\det L)^{1/(\dim L + 1 - m)}.
\]
If
\[
(2.1) \qquad \sqrt{\dim L}\; 2^{(\dim L)/4} (\det L)^{1/(\dim L + 1 - m)} < N^{\beta k},
\]
then we can conclude that $Q(r_1, \dots, r_m) = 0$.
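As an added worked example, not code from the paper: the construction just described, in plain Python with an exact-rational LLL. `build_lattice` writes down the rows $(X_1 x_1 - a_1)^{i_1} \cdots (X_m x_m - a_m)^{i_m} N^\ell$ for general $m$, `lll` reduces them, and `partial_acd_m1` runs the $m = 1$ (Howgrave-Graham) case end to end: it checks $|v|_1 < N^{\beta k}$ for the shortest reduced vector, undoes the $X_i$ scaling to recover $Q$, finds the root $r_1$, and returns $p = \gcd(N, a_1 - r_1)$. The instance in `demo` ($p \approx 2^{24}$, $N \approx 2^{48}$, $X = 2^8$, $t = 5$, $k = 3$) and all function names are constructed for this example; the root search is a scan over $|x| \le X$, which is only viable at this toy size.

```python
from fractions import Fraction
from itertools import product
from math import gcd, log2


def exponents(m, t):
    """All exponent tuples (i_1, ..., i_m) with i_1 + ... + i_m <= t, in a fixed order."""
    return [e for e in product(range(t + 1), repeat=m) if sum(e) <= t]


def poly_mul(a, b):
    """Multiply two integer polynomials in m variables stored as {exponent tuple: coefficient}."""
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(x + y for x, y in zip(ea, eb))
            out[e] = out.get(e, 0) + ca * cb
    return out


def build_lattice(N, a, X, t, k):
    """Rows: coefficient vectors of (X_1 x_1 - a_1)^{i_1} ... (X_m x_m - a_m)^{i_m} N^l with
    i_1 + ... + i_m <= t and l = max(k - sum(i), 0); columns are indexed by the monomials."""
    m = len(a)
    mons = exponents(m, t)
    rows = []
    for exps in mons:
        ell = max(k - sum(exps), 0)
        poly = {(0,) * m: N ** ell}
        for j, ij in enumerate(exps):
            unit = tuple(int(l == j) for l in range(m))
            for _ in range(ij):
                poly = poly_mul(poly, {unit: X[j], (0,) * m: -a[j]})
        rows.append([poly.get(mon, 0) for mon in mons])
    return mons, rows


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals (adequate for the small dimensions used here)."""
    b = [list(row) for row in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = Fraction(dot(b[i], bstar[j]), dot(bstar[j], bstar[j]))
                v = [vi - mu[i][j] * bj for vi, bj in zip(v, bstar[j])]
            mu[i][i] = Fraction(1)
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k; b*_k is unchanged by this
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for l in range(j + 1):
                    mu[k][l] -= q * mu[j][l]
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b


def vector_to_poly(v, mons, X):
    """Undo the scaling: entry q * X_1^{j_1} ... X_m^{j_m} -> coefficient q of x_1^{j_1} ... x_m^{j_m}."""
    poly = {}
    for c, mon in zip(v, mons):
        scale = 1
        for Xj, j in zip(X, mon):
            scale *= Xj ** j
        assert c % scale == 0                     # every lattice vector is an integer combination of scaled rows
        if c:
            poly[mon] = c // scale
    return poly


def evaluate(poly, r):
    total = 0
    for mon, c in poly.items():
        term = c
        for rj, j in zip(r, mon):
            term *= rj ** j
        total += term
    return total


def partial_acd_m1(N, a1, X, t, k, beta):
    """Howgrave-Graham's m = 1 case of the Section 2 algorithm: returns [(r_1, gcd(N, a_1 - r_1)), ...]."""
    mons, rows = build_lattice(N, [a1], [X], t, k)
    v = lll(rows)[0]                              # shortest vector of the reduced basis
    if log2(sum(abs(c) for c in v)) >= beta * k * log2(N):
        raise ValueError("|v|_1 >= N^{beta k}: relation not guaranteed; raise t or lower X")
    Q = vector_to_poly(v, mons, [X])
    # For m = 1 the relation Q(x) = 0 is univariate; at this toy size a scan over |x| <= X suffices.
    # In practice use a real-root finder (or resultants / Groebner bases when m > 1).
    roots = [x for x in range(-X, X + 1) if evaluate(Q, (x,)) == 0]
    return [(r, gcd(N, a1 - r)) for r in roots if gcd(N, a1 - r) > 1]


def demo():
    # Constructed toy instance (not from the paper): p ~ 2^24, q_0 < p so that p > N^{1/2}, N ~ 2^48.
    p = 2**24 - 3
    q0, q1 = 2**24 - 17, 2**24 + 15               # gcd(q0, q1) = 1, so gcd(N, a1 - r1) is exactly p
    r1 = 200
    N, a1 = p * q0, p * q1 + r1
    X = 2**8                                      # below Howgrave-Graham's bound N^{beta^2} = 2^12 (beta = 1/2)
    return partial_acd_m1(N, a1, X, t=5, k=3, beta=0.5)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the pair $(200, p)$. The $\ell_1$ check is exactly the condition that makes $Q(r_1) = 0$ unconditional once $p^k \ge N^{\beta k}$; if it fails, increase $t$ (or lower $X$) rather than trusting the relation, since a vector above the bound may satisfy the congruence modulo $p^k$ without vanishing.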

If $t$ and $k$ are large, then we can approximate $\binom{t+m}{m}$ with $t^m/m!$ and $\binom{k+m}{m}$ with $k^m/m!$. The $\sqrt{\dim L}$ factor plays no significant role asymptotically, so we simply omit it (the omission is not difficult to justify). After taking a logarithm and simplifying slightly, our desired equation (2.1) becomes
\[
\frac{t^m}{4k\, m!} + \frac{1}{1 - (m-1)\, m!/t^m} \left( \frac{m \log_2 X \cdot t}{(m+1)\, k} + \frac{\log_2 N \cdot k^m}{(m+1)\, t^m} \right) < \beta \log_2 N,
\]
where $X$ denotes the geometric mean of $X_1, \dots, X_m$.

The $t^m/(4k\, m!)$ and $(m-1)\, m!/t^m$ terms are nuisance factors, and once we optimize the parameters they will tend to zero asymptotically. We will take $t \approx \beta^{-1/m} k$ and $\log X \approx \beta^{(m+1)/m} \log N$. Then
\[
\frac{m \log X \cdot t}{(m+1)\, k} + \frac{\log N \cdot k^m}{(m+1)\, t^m} \approx \frac{m}{m+1} \beta \log N + \frac{1}{m+1} \beta \log N = \beta \log N.
\]
By setting $\log X$ slightly less than this bound (by a $1 + o(1)$ factor), we can achieve the desired inequality, assuming that the $1 - (m-1)\, m!/t^m$ and $t^m/(4k\, m!)$ terms do not interfere. To ensure that they do not, we take $t \gg m$ and $t^m \ll \beta \log N$ as $N \to \infty$. Note that then $\dim L \le \beta \log N$, which is bounded independently of $m$. Specifically, when $N$ is large we can take
\[
t = \frac{(\beta \log N)^{1/m}}{(\beta^2 \log N)^{1/(2m)}}
\]
and
\[
k = \lfloor \beta^{1/m} t \rfloor \approx (\beta^2 \log N)^{1/(2m)}.
\]
With these parameter settings, $t$ and $k$ both tend to infinity as $N \to \infty$, because $\beta^2 \log N \to \infty$, and they satisfy the necessary constraints. We do not recommend using these parameter settings in practice; instead, one should choose $t$ and $k$ more carefully. However, these choices work asymptotically. Notice that with this approach, $\beta^2 \log N$ must be large enough to allow $t/k$ to approximate $\beta^{-1/m}$. This is a fundamental issue, and we discuss it in more detail in the next subsection.

The final step of the proof is to solve the system of equations defined by the $m$ shortest vectors in the reduced basis to learn $r_1, \dots, r_m$. One way to do this is to repeatedly use resultants to eliminate variables; alternatively, we can use Gröbner bases. See, for example, Chapter 3 of [13].

One obstacle is that the equations may not be algebraically independent, in which case we will not have enough information to complete the solution. In the experiments summarized in Section 6, we sometimes encountered cases when the $m$ shortest vectors were algebraically dependent. However, in every case the vectors represented either (1) irreducible, algebraically independent polynomials, or (2) algebraically dependent polynomials that factored easily into polynomials which all had the desired properties. Thus when the assumption of algebraic independence failed, it failed because there were fewer than $m$ independent factors among the $m$ shortest relations. In these cases, there were always more than $m$ vectors of $\ell_1$ norm less than $N^{\beta k}$, and we were able to complete the solution by using all these vectors. This behavior appears to depend sensitively on the optimization of the parameters $t$ and $k$.

2.1. The $\beta^2 \log N \gg 1$ requirement. The condition that $\beta^2 \log N \gg 1$ is not merely a convenient assumption for the analysis. Instead, it is a necessary hypothesis for our approach to work at all when using a lattice basis reduction algorithm with an exponential approximation factor. In previous papers on these lattice-based techniques, such as [9] or [19], this issue seemingly does not arise, but that is because it is hidden in a degenerate case. When $m = 1$, we are merely ruling out the cases when the bound $N^{\beta^2}$ on the perturbations is itself bounded, and in those cases the problem can be solved by brute force.



To see why a lower bound on $\beta^2 \log N$ is necessary, we can start with (2.1). For that equation to hold, we must at least have $2^{(\dim L)/4} < N^{\beta k}$ and $(\det L)^{1/\dim L} < N^{\beta k}$, and these inequalities imply that
\[
\frac{1}{4} \binom{t+m}{m} < \beta k \log_2 N
\]
and
\[
\frac{\binom{k+m}{m} \log_2 N}{\binom{t+m}{m}\,(m+1)} < \beta \log_2 N
\]
(for the second, keep only the $N$ part of $\det L$ and use $\binom{k+m}{m+1} = \frac{k}{m+1}\binom{k+m}{m}$). Multiplying the two and using $\binom{k+m}{m} > k$ yields
\[
\frac{1}{4(m+1)} < \beta^2 \log_2 N,
\]
so we have an absolute lower bound for $\beta^2 \log N$. Furthermore, one can check that in order for the $2^{(\dim L)/4}$ factor to become negligible compared with $N^{\beta k}$, we must have $\beta^2 \log N \gg 1$.

Given a lattice basis reduction algorithm with approximation factor $2^{(\dim L)^\varepsilon}$, we could replace $t^m$ with $t^{\varepsilon m}$ in the nuisance term coming from the approximation factor. Then the condition $t^m \ll \beta \log N$ would become $t^{\varepsilon m} \ll \beta \log N$, and if we combine this with $k \approx \beta^{1/m} t$, we find that
\[
k^{\varepsilon m} \ll \beta^{1+\varepsilon} \log N.
\]
Because $k \ge 1$, the condition $\beta^{1+\varepsilon} \log N \gg 1$ is needed, and then we can take
\[
t = \frac{(\beta \log N)^{1/(\varepsilon m)}}{(\beta^{1+\varepsilon} \log N)^{1/(2\varepsilon m)}}
\]
and
\[
k = \lfloor \beta^{1/m} t \rfloor \approx (\beta^{1+\varepsilon} \log N)^{1/(2\varepsilon m)}.
\]

2.2. Theorem 2. The algorithm for Theorem 2 is identical to the above, except that we do not have an exact $N$, so we omit all vectors involving $N$ from the construction of the lattice $L$.

The matrix of coefficients is no longer square, so we have to do more work to bound the determinant of the lattice. Howgrave-Graham [19] observed in the two-variable case that the determinant is preserved even under non-integral row operations, and he used a non-integral transformation to hand-reduce the matrix before bounding the determinant as the product of the $\ell_2$ norms of the basis vectors; furthermore, the $\ell_2$ norms are bounded by $\sqrt{\dim L}$ times the $\ell_\infty$ norms.

The non-integral transformation that he uses is based on the relation
\[
(x_i - a_i) - \frac{a_i}{a_1}(x_1 - a_1) = x_i - \frac{a_i}{a_1} x_1.
\]
By adding a multiple of $f(x)(x_1 - a_1)$, one can reduce $f(x)(x_i - a_i)$ to $f(x)\bigl(x_i - \frac{a_i}{a_1} x_1\bigr)$. The advantage of this is that if $x_1$ is of size about $X_1$ and $a_1 \approx a_i$, then $x_i - \frac{a_i}{a_1} x_1$ may be much smaller than $x_i - a_i$ was. The calculations are somewhat cumbersome, and we will omit the details (see [19] for more information).

When $a_1, \dots, a_m$ are all roughly $N$ (as in Theorem 2), we get the following values for the determinant and dimension in the $m$-variable case:

detL < (^(^-^('-^^-(m^-r^)^) 

and
\[
\dim L = \binom{t+m}{m} - \binom{k-1+m}{m}.
\]
To optimize the resulting bound, we take $t \approx (m/\beta)^{1/(m-1)} k$.

3. Applications to fully homomorphic encryption

In [15], the authors build a fully homomorphic encryption system whose security relies on several assumptions, among them the hardness of computing an approximate common divisor of many integers. This assumption is used to build a simple "somewhat homomorphic" scheme, which is then transformed into a fully homomorphic system under additional hardness assumptions. In this section, we use our algorithm for computing approximate common divisors to provide a more precise understanding of the security assumption underlying this somewhat homomorphic scheme, as well as the related cryptosystem of [12].

For ease of comparison, we will use the notation from the above two papers (see Section 3 of [15]). Let $\gamma$ be the bit length of $N$, $\eta$ be the bit length of $p$, and $\rho$ be the bit length of each $r_i$. Using our algorithm, we can find $r_1, \dots, r_m$ and the secret key $p$ when
\[
\rho < \gamma \beta^{(m+1)/m}.
\]
Substituting in $\beta = \eta/\gamma$, we obtain
\[
\rho < \frac{\eta^{(m+1)/m}}{\gamma^{1/m}}.
\]
The authors of [15] suggest as a "convenient parameter set to keep in mind" to set $\rho = \lambda$, $\eta = \lambda^2$, and $\gamma = \lambda^5$. Using $m > 3$ we would be able to solve this parameter set, if we did not have the barrier that $\eta^2$ must be much greater than $\gamma$ (this is $\beta^2 \log N \gg 1$ in the notation above).



As pointed out in Section 1.2.1, this barrier would no longer apply if we could improve the approximation factor for lattice basis reduction. If we could improve the approximation factor to $2^{(\dim L)^\varepsilon}$, then the barrier would amount to $\beta^{1+\varepsilon} \lambda^5 \gg 1$, where $\beta = \eta/\gamma = \lambda^{-3}$. If $\varepsilon < 2/3$, then this would no longer be an obstacle. Given a $2^{(\dim L)^{2/3}/\log \dim L}$ approximation factor, we could take $m = 4$, $k = 1$, and $t = \lfloor 3\lambda^{3/4} \rfloor$ in the notation of Section 2. Then (2.1) holds, and thus the algorithm works, for all $\lambda > 300$.

One might try to achieve these subexponential approximation factors by using blockwise lattice reduction techniques [27]. For an $n$-dimensional lattice, one can obtain an approximation factor of roughly $n^{n/\kappa}$ in time exponential in $\kappa$. For the above parameter settings, the lattice will have dimension on the order of $\lambda^3$, and even a $2^{n^{2/3}}$ approximation will require $\kappa > n^{1/3} = \lambda$, for a running time that remains exponential in $\lambda$. (Note that for these parameters, using a subexponential-time factoring algorithm to factor the modulus in the "partial" approximate common divisor problem is super-exponential in the security parameter.)

In general, if we could achieve an approximation factor of $2^{(\dim L)^\varepsilon}$ for arbitrarily small $\varepsilon$, then we could solve the approximate common divisor problem for parameters given by any polynomials in $\lambda$. Furthermore, as we will see in Section 6, the LLL algorithm performs better in practice on these problems than the theoretical analysis suggests.

4. Multi-polynomial reconstruction 

4.1. Polynomial lattices. For Theorem 3 and Theorem 4 we can use almost exactly the same technique, but with lattices over the polynomial ring $F[z]$ instead of the integers.

By a $d$-dimensional lattice $L$ over $F[z]$, we mean the $F[z]$-span of $d$ linearly independent vectors in $F[z]^d$. The degree $\deg v$ of a vector $v$ in $L$ is the maximum degree of any of its components, and the determinant $\det L$ is the determinant of a basis matrix (which is well-defined, up to scalar multiplication).

The polynomial analogue of lattice basis reduction produces a basis $b_1, \dots, b_d$ for $L$ such that

$$\deg(b_1) + \cdots + \deg(b_d) = \deg \det L.$$

Such a basis is called a reduced basis (sometimes column- or row-reduced, depending on how the vectors are written), and it can be found in polynomial time; see, for example, Section 6.3 in [22]. If we order the basis so that $\deg(b_1) \le \cdots \le \deg(b_d)$, then clearly

$$\deg(b_1) \le \frac{\deg \det L}{d},$$

and more generally

$$\deg(b_i) \le \frac{\deg \det L}{d - (i-1)},$$

because

$$\deg \det L - (d - (i-1))\deg(b_i) = \sum_{j=1}^{d} \deg(b_j) - \sum_{j=i}^{d} \deg(b_i) \ge 0.$$

These inequalities are the polynomial analogues of the vector length bounds in LLL-reduced lattices, but notice that the exponential approximation factor does not occur. See [5] for more information about this analogy, and [2] for applications that demonstrate the superior performance of these methods in practice.

4.2. Theorems 3 and 4. In the polynomial setting, we will choose $Q(x_1, \dots, x_m)$ to be a linear combination (with coefficients from $F[z]$) of the polynomials

$$(x_1 - f_1(z))^{i_1} \cdots (x_m - f_m(z))^{i_m} N(z)^{\ell}$$

with $i_1 + \cdots + i_m \le t$ and $\ell = \max(k - \sum_j i_j, 0)$. We define the lattice $L$ to be spanned by the coefficient vectors of these polynomials, but with $x_i$ replaced with $z^{\ell_i} x_i$ to incorporate the bound on $\deg g_i$, much as we replaced $x_i$ with $X_i x_i$ in the integer case.

As before, we can easily compute the dimension and determinant of $L$:

$$\dim L = \binom{t+m}{m}$$

and

$$\deg \det L = (\ell_1 + \cdots + \ell_m)\binom{t+m}{m+1} + \binom{k+m}{m+1}\, n,$$

where $n = \deg N(z)$.

Given a polynomial $Q(x_1, \dots, x_m)$ corresponding to a vector $v \in L$, we can bound $\deg Q(g_1(z), \dots, g_m(z))$ by $\deg v$. Specifically, suppose

$$Q(x_1, \dots, x_m) = \sum_{j_1, \dots, j_m} q_{j_1 \dots j_m}(z)\, x_1^{j_1} \cdots x_m^{j_m};$$

then $v$ is the vector whose entries are $q_{j_1 \dots j_m}(z)\, z^{j_1 \ell_1 + \cdots + j_m \ell_m}$, and

$$\begin{aligned}
\deg Q(g_1(z), \dots, g_m(z)) &\le \max_{j_1, \dots, j_m} \bigl(\deg q_{j_1 \dots j_m}(z) + j_1 \deg g_1(z) + \cdots + j_m \deg g_m(z)\bigr) \\
&\le \max_{j_1, \dots, j_m} \bigl(\deg q_{j_1 \dots j_m}(z) + j_1 \ell_1 + \cdots + j_m \ell_m\bigr) \\
&= \deg v.
\end{aligned}$$

Let $v_1, \dots, v_{\dim L}$ be a reduced basis of $L$, arranged in increasing order by degree. If

$$\frac{\deg \det L}{\dim L - (m-1)} < \beta k n, \qquad (4.1)$$

then each of $v_1, \dots, v_m$ yields a polynomial relation $Q_i$ such that

$$Q_i(g_1(z), \dots, g_m(z)) = 0,$$

because by the construction of the lattice, $Q_i(g_1(z), \dots, g_m(z))$ is divisible by the $k$-th power of an approximate common divisor of degree $\beta n$, while

$$\deg Q_i(g_1(z), \dots, g_m(z)) \le \deg v_i < \beta k n.$$

Thus, we must determine how large $\ell_1 + \cdots + \ell_m$ can be, subject to the inequality (4.1).



If we set $t \approx k\beta^{-1/m}$ and

$$\frac{\ell_1 + \cdots + \ell_m}{m} < n\beta^{(m+1)/m},$$

then inequality (4.1) is satisfied when $t$ and $k$ are sufficiently large. Because there is no analogue of the LLL approximation factor in this setting, we do not have to worry about $t$ and $k$ becoming too large (except for the obvious restriction that $\dim L$ must remain polynomially bounded), and there is no lower bound on $\beta$.
Furthermore, we require no $1 + o(1)$ factors, because all degrees are integers and all the quantities we care about are rational numbers with bounded numerators and denominators; thus, any sufficiently close approximation might as well be exact, and we can achieve this when $t$ and $k$ are polynomially large.
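As an added illustration, not code from the paper, here is the $m = 1$, $t = k = 1$ case of the construction of Sections 4.1 and 4.2 carried out in Python: with $N(z) = \prod (z - \alpha_i)$ and $f$ interpolating a received word, the lattice spanned by the coefficient vectors of $N(z)$ and $x - f(z)$ (with $x$ replaced by $z^{\ell} x$) has $\deg \det L = n + \ell$ and $\dim L = 2$, so (4.1) holds whenever the word agrees with some $g$ of degree at most $\ell$ on more than $(n+\ell)/2$ points; that is Reed-Solomon decoding up to half the minimum distance. The reduced basis is computed with the simple transformations of Mulders and Storjohann (a different routine from the one cited in Section 4.1, but with the same guarantee that the row degrees sum to $\deg \det L$). The field $\mathrm{GF}(101)$, the evaluation points and the corrupted positions are constructed for the example.

```python
# Added example, not code from the paper: Reed-Solomon decoding as the m = 1,
# t = k = 1 instance of the polynomial-lattice method of Sections 4.1 and 4.2.
P = 101  # assumed prime field size (constructed for this example)
# Polynomials over GF(P): coefficient lists, lowest degree first, no trailing zeros.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def deg(a): return len(a) - 1          # -1 for the zero polynomial

def add(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P
                 for i in range(n)])

def scale(a, c, shift=0):              # c * z^shift * a(z)
    return trim([0] * shift + [c * x % P for x in a])

def mul(a, b):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)

def divmod_poly(a, b):                 # long division by a nonzero b
    a, inv = list(a), pow(b[-1], -1, P)
    q = [0] * max(len(a) - len(b) + 1, 0)
    for i in range(len(a) - len(b), -1, -1):
        q[i] = c = a[i + len(b) - 1] * inv % P
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - c * y) % P
    return trim(q), trim(a)

def evaluate(a, x):                    # Horner's rule
    r = 0
    for c in reversed(a):
        r = (r * x + c) % P
    return r

def interpolate(points):               # Lagrange: the f with deg f < len(points)
    f = []
    for i, (xi, yi) in enumerate(points):
        num, den = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num, den = mul(num, [-xj % P, 1]), den * (xi - xj) % P
        f = add(f, scale(num, yi * pow(den, -1, P) % P))
    return f

# Lattice vectors over F[z]: deg v = max entry degree (Section 4.1); the leading
# position is the rightmost entry attaining it.
def vec_deg(v): return max(deg(a) for a in v)
def lead_pos(v):
    d = vec_deg(v)
    return max(j for j, a in enumerate(v) if deg(a) == d)

def reduce_basis(rows):
    """Mulders-Storjohann simple transformations until all leading positions differ.
    That is a reduced basis in the sense of Section 4.1: row degrees sum to deg det L."""
    rows = [list(r) for r in rows]
    while True:
        seen, clash = {}, None
        for i, v in enumerate(rows):
            j = lead_pos(v)
            if j in seen:
                clash = (seen[j], i)
                break
            seen[j] = i
        if clash is None:
            return sorted(rows, key=vec_deg)
        a, b = clash
        if vec_deg(rows[a]) > vec_deg(rows[b]):
            a, b = b, a                # reduce the row of larger degree by the other
        shift = vec_deg(rows[b]) - vec_deg(rows[a])
        c = rows[b][j][-1] * pow(rows[a][j][-1], -1, P) % P
        rows[b] = [add(w, scale(u, -c, shift)) for w, u in zip(rows[b], rows[a])]

def rs_decode(alphas, received, ell):
    """Find g with deg g <= ell agreeing with the received word on more than
    (n + ell)/2 points: then deg gcd(N, f - g) exceeds deg det L / dim L, i.e. (4.1)."""
    N = [1]
    for al in alphas:
        N = mul(N, [-al % P, 1])                  # N(z) = prod (z - alpha_i)
    f = interpolate(list(zip(alphas, received)))  # f(alpha_i) = received word
    # Rows: coefficient vectors of N(z) and x - f(z), with x replaced by z^ell x.
    rows = [[N, []], [scale(f, -1), [0] * ell + [1]]]
    v = reduce_basis(rows)[0]                     # shortest: Q(x) = q0(z) + q1(z) x
    q0, q1 = v[0], v[1][ell:]                     # strip the z^ell absorbed into x
    if not q1:
        return None
    g, rem = divmod_poly(scale(q0, -1), q1)       # Q(g) = 0  =>  g = -q0 / q1
    return g if not rem and deg(g) <= ell else None

# Constructed sample: n = 10 points, deg g <= 2, three corrupted positions (< (n-ell)/2 = 4).
ALPHAS = list(range(1, 11))
G = [3, 1, 4]                                     # g(z) = 3 + z + 4 z^2
RECEIVED = [evaluate(G, al) for al in ALPHAS]
for pos, delta in ((0, 17), (4, 55), (7, 9)):
    RECEIVED[pos] = (RECEIVED[pos] + delta) % P
```

The shortest reduced-basis vector has degree at most $(n+\ell)/2 = 6$ here, while $Q(g)$ is divisible by $\gcd(N, f - g)$ of degree $n - 3 = 7$, so $Q(g) = 0$ and $g = -q_0/q_1$ is read off by one polynomial division; `rs_decode(ALPHAS, RECEIVED, 2)` returns `G`. With four or more errors the lattice condition fails and the function may return `None` or a wrong polynomial, which is why the decoder checks the division is exact and the degree bound holds.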

5. Higher degree polynomials 

It is possible to generalize the results in the previous sections to find solutions of 
a system of higher degree polynomials modulo divisors of N. 

Theorem 5. Given a positive integer $N$ and $m$ monic polynomials $h_1(x), \dots, h_m(x)$ over the integers, of degrees $d_1, \dots, d_m$, and given any $\beta \gg 1/\sqrt{\log N}$ and bounds $X_1, \dots, X_m$, we can find all $r_1, \dots, r_m$ such that

$$\gcd(N, h_1(r_1), \dots, h_m(r_m)) \ge N^{\beta}$$

and $|r_i| \le X_i$, provided that

$$\bigl(X_1^{d_1} \cdots X_m^{d_m}\bigr)^{1/m} \le N^{\beta^{(m+1)/m}}$$

and that the algebraic independence hypothesis holds. The algorithm runs in polynomial time for fixed $m$.

The $m = 1$ case does not require the algebraic independence hypothesis, and it encompasses both Howgrave-Graham's and Coppersmith's theorems [?]; it first appeared in [25].

When $X_1 = \cdots = X_m$, the bound becomes $N^{\beta^{(m+1)/m}/\bar d}$, where $\bar d = (d_1 + \cdots + d_m)/m$ is the average degree.

Theorem 6. Given a polynomial $N(z)$ and $m$ monic polynomials $h_1(x), \dots, h_m(x)$ over $F[z]$, of degrees $d_1, \dots, d_m$ in $x$, and given degree bounds $\ell_1, \dots, \ell_m$, we can find all $g_1(z), \dots, g_m(z)$ in $F[z]$ such that

$$\deg \gcd(N(z), h_1(g_1(z)), \dots, h_m(g_m(z))) \ge \beta \deg N(z)$$

and $\deg g_i(z) \le \ell_i$, provided that

$$\frac{\ell_1 d_1 + \cdots + \ell_m d_m}{m} < \beta^{(m+1)/m} \deg N(z)$$

and that the algebraic independence hypothesis holds. The algorithm runs in polynomial time for fixed $m$.

The algorithms are exactly analogous to those for the degree 1 cases, except that $x_i - a_i$ (or $x_i - f_i(z)$) is replaced with $h_i(x_i)$.

6. Implementation 

We implemented the number-theoretic version of the partial approximate common divisor algorithm using Sage [29]. We used Magma [5] to do the LLL and Gröbner basis calculations.

We solved the systems of equations by computing a Gröbner basis with respect to the lexicographic monomial ordering, to eliminate variables. Computing a Gröbner basis can be extremely slow, both in theory and in practice. We found that it was more efficient to solve the equations modulo a large prime, to limit the bit length of the coefficients in the intermediate and final results. Because $r_1, \dots, r_m$ are bounded in size, we can simply choose a prime larger than $2\max_i |r_i|$.

  m    log2 N   log2 p   log2 r    t    k   dim L   LLL       Gröbner   LLL factor
  1    1000     200      36        41   8   42
  3    1000     200      84        4    2           3.97s     1.34s*    0.586
  7                                                 7.73s               1.046
  7                      311       3    2           12.99s    2.23s*    0.568
  12                     347       1    1   13      0.01s     0.52s     1.013
  18                     364       1    1   19      0.03s     1.08s     1.032
  24                               1    1   25      0.04s     1.93s     1.024
  96                     400       1    1   97      1.71s     27.94s    1.040

Table 1. Experimental results from our implementation of the integer partial approximate common divisor algorithm, with sample parameters for more extreme calculations in italics.
[Cells left blank above, and the italicized rows, did not survive extraction of this table.]

We ran our experiments on a computer with a 3.30 GHz quad-core Intel Core i5 processor and 8 GB of RAM. Table 1 shows a selection of sample running times for various parameter settings. For comparison, the table includes the $m = 1$ case, which is Howgrave-Graham's algorithm. The italicized rows give example lattice dimensions for larger inputs to illustrate the limiting behavior of the algorithm.

The performance of the algorithm depends on the ratio of $t$ to $k$, which should be approximately $\beta^{-1/m}$. Incorrectly optimized parameters often perform much worse than correctly optimized parameters. For example, when $m = 3$, $\log_2 N = 1000$, and $\log_2 p = 200$, taking $(t, k) = (4, 2)$ can handle 84-bit perturbations $r_i$, as one can see in Table 1, but taking $(t, k) = (4, 3)$ cannot even handle 60 bits.

For large $m$, we experimented with using the non-optimized parameters $(t, k) = (1, 1)$, as reported in Table 1. For the shortest vector only, the bounds would replace the exponent $\beta^{(m+1)/m}$ with $(m+1)\beta/m - 1/m$, which is its tangent line at $\beta = 1$. This bound is always worse, and it is trivial when $\beta < 1/(m+1)$, but it still approaches the optimal exponent $\beta$ for large $m$. Our analysis does not yield a strong enough bound for the $m$-th largest vector, but in our experiments the vectors found by LLL are much shorter than predicted by the worst-case bounds, as described below. Furthermore, the algorithm runs extremely quickly with these parameters, because the lattices have lower dimensions and the simultaneous equations are all linear.

The last column of the table, labeled "LLL factor," describes the approximation ratio obtained by LLL in the experiment. Specifically, LLL factor $A$ means

$$|v_m| \approx A^{\dim L} (\det L)^{1/\dim L},$$

where $v_m$ is the $m$-th smallest vector in the LLL-reduced basis for $L$. Empirically, we find that all of the vectors in the reduced basis are generally quite close in size, so this estimate is more appropriate than using $1/(\dim L - (m-1))$ in the exponent (which we did in the theoretical analysis, in order to get a rigorous bound). The typical value is about 1.02, which matches the behavior one would expect from LLL on a randomly generated lattice, whose successive minima will all be close to $(\det L)^{1/\dim L}$ [?]. A handful of our experimental parameters resulted in lattices whose shortest vectors were much shorter than these bounds; this tended to correlate with a small sublattice of algebraically dependent vectors.
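To make the $(t, k) = (1, 1)$ bound and the "LLL factor" concrete, here is an added example for $m = 1$ in Python; it is not the authors' Sage/Magma implementation. In dimension 2, LLL is just Lagrange-Gauss reduction, so the whole algorithm is a few lines: the lattice is spanned by the coefficient vectors of $N$ and $x - a$ with $x$ replaced by $Xx$, the shortest vector encodes a $Q$ with $Q(r) \equiv 0 \pmod p$, and when $X$ is below roughly $N^{2\beta - 1}$ (the tangent-line exponent $(m+1)\beta/m - 1/m$ at $m = 1$) the vector is short enough that $Q(r) = 0$ exactly. The sizes (1000-bit $N$, 600-bit $p$, so $\beta = 0.6$) and the seeded random instance are constructed for the example. Because the planted relation makes the shortest vector far shorter than $(\det L)^{1/\dim L}$, the computed LLL factor comes out below 1, as in the asterisked rows of Table 1.

```python
# Added example, not the authors' Sage/Magma implementation: the integer partial
# approximate common divisor problem with m = 1 and (t, k) = (1, 1).  The lattice has
# dimension 2, where LLL is just Lagrange-Gauss reduction.
import math
import random

def gauss_reduce(u, v):
    """Lagrange-Gauss reduction of a basis (u, v) of a 2-dimensional integer lattice;
    returns (b1, b2) with b1 a shortest nonzero lattice vector."""
    dot = lambda a, b: a[0] * b[0] + a[1] * b[1]
    if dot(u, u) > dot(v, v):
        u, v = v, u
    while True:
        # nearest integer to <u,v>/<u,u>, in exact integer arithmetic (1000-bit inputs)
        m = (2 * dot(u, v) + dot(u, u)) // (2 * dot(u, u))
        v = (v[0] - m * u[0], v[1] - m * u[1])
        if dot(v, v) >= dot(u, u):
            return u, v
        u, v = v, u

def solve_acd_m1(N, a, X):
    """Given N = p*q0 and a = p*q1 + r with |r| <= X, recover r.  The lattice is spanned
    by the coefficient vectors of N and x - a with x replaced by X*x, so a lattice vector
    (v0, v1) = (c0*N - c1*a, c1*X) encodes Q(x) = c0*N + c1*(x - a), and Q(r) is a
    multiple of p.  When the vector is short enough, Q(r) = 0 exactly and r = -v0*X/v1.
    This works for X below about N^(2*beta - 1): the exponent (m+1)*beta/m - 1/m at m = 1."""
    b1, _ = gauss_reduce((N, 0), (-a, X))
    v0, v1 = b1
    if v1 == 0 or (-v0 * X) % v1 != 0:
        return None                                # Q(r) != 0: vector not short enough
    return -v0 * X // v1

def lll_factor(b1, N, X):
    """The "LLL factor" A of Section 6 for this lattice, defined by
    |v_1| = A^(dim L) * (det L)^(1/dim L) with dim L = 2 and det L = N*X."""
    log_norm = math.log(b1[0] ** 2 + b1[1] ** 2) / 2
    log_det = math.log(N) + math.log(X)
    return math.exp((log_norm - log_det / 2) / 2)

def make_instance(seed=1, p_bits=600, q_bits=400, r_bits=190):
    """Constructed instance: 1000-bit N and 600-bit p give beta = 0.6, so the (1, 1)
    bound allows errors of roughly (2*0.6 - 1) * 1000 = 200 bits; we plant a 190-bit r."""
    rng = random.Random(seed)
    p = rng.getrandbits(p_bits) | (1 << (p_bits - 1)) | 1
    q0 = rng.getrandbits(q_bits) | (1 << (q_bits - 1))
    q1 = rng.getrandbits(q_bits) | (1 << (q_bits - 1))
    r = rng.getrandbits(r_bits)
    X = 1 << r_bits
    return p * q0, p * q1 + r, p, r, X

if __name__ == "__main__":
    N, a, p, r, X = make_instance()
    found = solve_acd_m1(N, a, X)
    print("recovered r:", found == r, "| p divides a - r:", (a - found) % p == 0)
    print("LLL factor:", round(lll_factor(gauss_reduce((N, 0), (-a, X))[0], N, X), 3))
```

The recovery is guaranteed here because the planted vector $(-q_0 r, q_0 X)$ has norm below $2^{591}$ while $p \ge 2^{599}$, so any vector at least as short satisfies $|Q(r)| < p$ and hence $Q(r) = 0$; for the vDGHV-style parameters discussed in Section 3 the same (1,1) bound is trivial, since $\beta < 1/2$ there, which is why larger $t$, $k$ and $m$ are needed.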

Because of this, the reduced lattice bases in practice contain many more than $m$ suitable polynomials, and we were able to speed up some of the Gröbner basis calculations by including all of them in the basis. For example, the $m = 7$, $\log_2 p = 200$ Gröbner basis calculation from Table 1 finished in 12 seconds using 119 polynomials from the reduced lattice basis.

We marked cases where we encountered algebraically dependent relations with an asterisk in Table 1. In each case, we were still able to solve the system of equations by including more relations from the lattice (up to $\ell_1$ norm less than $N^{\beta k}$) and solving this larger system.